I was reading https://www.freeipa.org/page/Apache_Group_Based_Authorization but failed to implement that for AD users. The problem is that Kerberos authenticates myuser0...@mywindows.domain.at but there is no corresponding entry in on the AD domain controller. The available user attributes in the LDAP directory look like 'myuser0815' (samaccountname) or 'myuser0...@someupnsuffix.domain.at' (userprincipalname).

GssapiLocalName or KrbLocalUserMapping would only map to locally existing users, right? I tried them both and still saw 'myuser0...@mywindows.domain.at' leading to:

[Tue Sep 26 17:14:40.758545 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(824): [client] AH01710: ldap authorize: Creating LDAP req structure [Tue Sep 26 17:14:40.793095 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(838): [client] AH01711: auth_ldap authorise: User DN not found, User not found

Any ideas what I could try next?

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to